8735d4ed13c0bed617f8db84f6f118d2d7f13013ba5ed2c306c62d2f766e573b

Analysis

max time kernel
151s
max time network
150s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 06:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8735d4ed13c0bed617f8db84f6f118d2d7f13013ba5ed2c306c62d2f766e573b.dll
Size

545KB
MD5

6c4f41b99117eb39e6aeda2913af61a0
SHA1

c4c3c0e6204efbd3554c90a81d824f9b507c6efe
SHA256

8735d4ed13c0bed617f8db84f6f118d2d7f13013ba5ed2c306c62d2f766e573b
SHA512

c9871bcc2eb7407427c70ab80fd29700e8f441954deb265548089f1eebd8053b8a570648f31132499b26365c226727c29003893218cba21a5d548153a60808aa
SSDEEP

12288:ZG2QHUqPsmpyYpL6w25KuvIHZVYwmP9XdSV+:ZG2IsmBCsa3XdSV

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1996	dwm.exe

Loads dropped DLL 4 IoCs

pid	Process
1568	rundll32.exe
1568	rundll32.exe
2028	Process not Found
1996	dwm.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe
1568	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1568	rundll32.exe
1568	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 1568	968	rundll32.exe	27
PID 968 wrote to memory of 1568	968	rundll32.exe	27
PID 968 wrote to memory of 1568	968	rundll32.exe	27
PID 968 wrote to memory of 1568	968	rundll32.exe	27
PID 968 wrote to memory of 1568	968	rundll32.exe	27
PID 968 wrote to memory of 1568	968	rundll32.exe	27
PID 968 wrote to memory of 1568	968	rundll32.exe	27
PID 1568 wrote to memory of 1996	1568	rundll32.exe	28
PID 1568 wrote to memory of 1996	1568	rundll32.exe	28
PID 1568 wrote to memory of 1996	1568	rundll32.exe	28
PID 1568 wrote to memory of 1996	1568	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8735d4ed13c0bed617f8db84f6f118d2d7f13013ba5ed2c306c62d2f766e573b.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:968
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8735d4ed13c0bed617f8db84f6f118d2d7f13013ba5ed2c306c62d2f766e573b.dll,#1
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Users\Admin\AppData\Local\Temp\iswizard05\dwm.exe
    C:\Users\Admin\AppData\Local\Temp\iswizard05\dwm.exe -poolip=54.200.248.75 -poolport=1337 -pooluser=AHXJ1dhkKiHmSFRT3g4LTEyGaomhL46N6m -poolpassword=x -genproclimit=8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\iswizard05\dwm.exe

Filesize
1.4MB

MD5
e5fe2a8179d2850a2c4496620de04dc5

SHA1
77a644368d7ff77f3f4ee9a75165f126529aa95f

SHA256
0d1f7f36427736f3132016027b2f06b8e1a40d21db88846d46e0ed9f2283497b

SHA512
4f0acf8147ab5978928cde60cfb2e328e17b41ba8128273a7a35d3fb9b70aa184fa0dd9dbd24a54b538ff445dd12fe81b63defbdbd74d3cc76b634068cc524d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iswizard05\libwinpthread-1.dll

Filesize
52KB

MD5
4c33c6fc8466bcfe9e79f3e6578f5ae5

SHA1
50589a405de4be0f04753b6d12c1edbbd0c8b911

SHA256
f4d88aa405096d178e1f11f7daa1d5863693340b82405a7fb1d7ca5863fdf50c

SHA512
ea57a3824775530db1ea3bd4cb28acc9358cc1f92b96c37b98114a36b03cec1231ea93326dd3b2ed859382608e156af1531a91c40198e57764653085fae93707

Download Submit
\Users\Admin\AppData\Local\Temp\iswizard05\dwm.exe

Filesize
1.4MB

MD5
e5fe2a8179d2850a2c4496620de04dc5

SHA1
77a644368d7ff77f3f4ee9a75165f126529aa95f

SHA256
0d1f7f36427736f3132016027b2f06b8e1a40d21db88846d46e0ed9f2283497b

SHA512
4f0acf8147ab5978928cde60cfb2e328e17b41ba8128273a7a35d3fb9b70aa184fa0dd9dbd24a54b538ff445dd12fe81b63defbdbd74d3cc76b634068cc524d5

Download Submit
\Users\Admin\AppData\Local\Temp\iswizard05\dwm.exe

Filesize
1.4MB

MD5
e5fe2a8179d2850a2c4496620de04dc5

SHA1
77a644368d7ff77f3f4ee9a75165f126529aa95f

SHA256
0d1f7f36427736f3132016027b2f06b8e1a40d21db88846d46e0ed9f2283497b

SHA512
4f0acf8147ab5978928cde60cfb2e328e17b41ba8128273a7a35d3fb9b70aa184fa0dd9dbd24a54b538ff445dd12fe81b63defbdbd74d3cc76b634068cc524d5

Download Submit
\Users\Admin\AppData\Local\Temp\iswizard05\dwm.exe

Filesize
1.4MB

MD5
e5fe2a8179d2850a2c4496620de04dc5

SHA1
77a644368d7ff77f3f4ee9a75165f126529aa95f

SHA256
0d1f7f36427736f3132016027b2f06b8e1a40d21db88846d46e0ed9f2283497b

SHA512
4f0acf8147ab5978928cde60cfb2e328e17b41ba8128273a7a35d3fb9b70aa184fa0dd9dbd24a54b538ff445dd12fe81b63defbdbd74d3cc76b634068cc524d5

Download Submit
\Users\Admin\AppData\Local\Temp\iswizard05\libwinpthread-1.dll

Filesize
52KB

MD5
4c33c6fc8466bcfe9e79f3e6578f5ae5

SHA1
50589a405de4be0f04753b6d12c1edbbd0c8b911

SHA256
f4d88aa405096d178e1f11f7daa1d5863693340b82405a7fb1d7ca5863fdf50c

SHA512
ea57a3824775530db1ea3bd4cb28acc9358cc1f92b96c37b98114a36b03cec1231ea93326dd3b2ed859382608e156af1531a91c40198e57764653085fae93707

Download Submit
memory/1568-55-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download